Acceptable Use Policy

This document is the Ministry of Justice (MoJ) Acceptable Use Policy. It provides the core set of security principles and expectations on the acceptable use of MoJ IT systems.

To help identify formal policy statements, each is prefixed with an identifier of the form: POL.ITAUP.xxx, where xxx is a unique ID number.

Related information

Technical Controls Policy

Introduction

MoJ IT systems and services are first and foremost provided to support the delivery of the MoJ’s business services. To achieve this, most MoJ users are provided with an appropriate general purpose computer environment, and access to services and communication tools such as email and the Internet.

This policy outlines the acceptable use of MoJ IT systems and services, and the expectations that the MoJ has on its staff when accessing or using those systems or services.

Scope

This policy covers all Users (including contractors and agency staff) who use MoJ IT systems or services.

Failure to adhere to this policy might result in:

• Suspension of access to MoJ IT systems and services.
• For MoJ employees, disciplinary proceedings up to and including dismissal.
• For others with access to MoJ IT systems and services, including specifically contractors and agency staff, termination of contract.

POL.ITAUP.001: All Users shall be made aware of the Acceptable Use Policy (this document), and provided with security awareness training which covers this policy.

POL.ITAUP.002: All Users shall undergo refresher security awareness training covering this policy, every 12 months.

Protection of assets

It is paramount that all Users protect the confidentiality of information held on, processed, and transmitted by MoJ IT systems. All Users have a role in protecting the information assets which are under their control, or that they have access to.

MoJ IT systems have been designed to protect the confidentiality of the data held on them. However, maintaining this requires the application of, and adherence to, a clear set of operating procedures by all Users. These are collectively known as Security Operating Procedures (SyOPs).

It is important that all Users of an IT system, including support and system administrative Users, are familiar with these SyOPs, and are provided with the appropriate training.

POL.ITAUP.003: All IT systems shall have, and maintain, a set of Security Operating Procedures (SyOPs). For systems undergoing an assurance process, these SyOPs shall be included as part of the assurance.

POL.ITAUP.004: All Users of an IT system, including support and system administrative staff, shall read the applicable SyOPs, and shall acknowledge that they have both read and understood the SyOPs before being granted access. A record shall be kept of a User being granted access, and made available for review during assurance, or upon authorised request.

POL.ITAUP.005: All Users shall be made aware that non-conformance to the system SyOPs constitutes a breach of the MoJ IT Security Policy, and might result in disciplinary action.

POL.ITAUP.006: Any change to an IT system’s SyOPs shall be approved through an assured change control process, before the change is made.

POL.ITAUP.007: Any request to perform an action on an IT system which contravenes its SyOPs shall be approved by the Security team before the action is taken.

For most Users, access to MoJ IT systems and information held on them is through a desktop device, a laptop, or a mobile or remote device. These devices have the capacity to store large amounts of potentially sensitive information assets. It is important that Users follow Information Management processes and handling guidelines to ensure information is stored and accessed appropriately. Further information on information handling is provided in the Information Classification and Handling Policy.

General Security Operating Procedures (SyOPs)

The policy refers to a key set of general SyOPs, as follows:

• Privileged User Guide.
• System Users and Application Administrators.
• Remote Working.

To minimise the number of SyOPs in circulation and standardise procedures, the SyOPs listed previously act as the primary set, which individual IT systems are expected to conform to, in terms of their own SyOPs. Any deviations or additions are dependent upon approval through the assurance process.

POL.ITAUP.008: All IT systems shall have documented SyOPs which comply with the general SyOPs listed in this policy. Any deviations or additions shall be recorded in separate SyOPs which form an addendum to one of the SyOPs listed.

Note: An IT system may make use of, in their entirety, one or more of the SyOPs listed in this policy if the procedures of that IT system do not deviate from those described in the general SyOPs.

Removable Media

Removable storage media include devices such as USB memory sticks, writeable CDs or DVDs, and external drives. These devices might contain large amounts of protectively marked data, and so pose a significant risk to the confidentiality of the data they hold. As such, the MoJ controls the use of removable media through SyOPs, technical security controls, and by requiring movements of bulk data to be authorised by using a Data Movement Form.

POL.ITAUP.009: Any removable media device shall be approved by MoJ security, where that device is used to store protectively marked data. The type of device and associated SyOPs shall be approved by MoJ security before operational use.

POL.ITAUP.010: All Users shall ensure that all data stored on or transported by removable media is in accordance with the applicable system SyOPs.

POL.ITAUP.011: All Users shall seek approval from the Security team prior to any bulk transfer of protectively marked data using removable media. MoJ security advises on any technical and procedural requirements, such as data encryption and handling arrangements.

Passwords

A username and password combination is the primary access credential used for authenticating a User to MoJ systems, and authorising User access to information assets and services provided by that system. It is therefore important that Users keep their access credentials safe and secure.

POL.ITAUP.012: All Users shall not share or disclose any passwords with any other person.

POL.ITAUP.013: All Users shall not:

• Attempt to gain unauthorised access to another User’s IT account.
• Attempt to use another Users access credentials to gain access to an MoJ system.
• Attempt to access information for which they do not have a ‘need-to-know’.
• Use the same password on more than one MoJ system.

Legal and regulatory requirements

There are a number of legal and regulatory requirements that the MoJ must comply with. These obligations are in addition to HMG security policy, as expressed in the HMG Security Policy Framework.

POL.ITAUP.014: All Users shall be made aware of legal and regulatory requirements that they shall adhere to when accessing MoJ systems. These requirements shall be included as part of the SyOPs.

MoJ Corporate Image

Communications sent from MoJ systems, or products developed using them, such as MoJ branded documents or presentations, might damage the public image of the MoJ if they are for purposes not in the interest of the MoJ, or they are abusive, offensive, defamatory, obscene, or indecent, or of such a nature as to bring the MoJ or any its employees into disrepute.

POL.ITAUP.015: All Users shall ensure that MoJ systems are not used in an abusive, offensive, defamatory, obscene, or indecent way, or are of such a nature as to bring the MoJ or any its employees into disrepute.

Potential to cause offence and harm

The MoJ has a duty of care to all staff, and to provide a positive working environment. Part of this duty involves ensuring all staff maintain a high standard of behaviour and conduct.

POL.ITAUP.016: MoJ systems shall not be used for any activity that causes offence to MoJ employees, customers, suppliers, partners, or visitors, or used in a way that violates the MoJ Code of Conduct.

Personal use

The MoJ permits limited personal use of its IT systems, provided this use does not conflict or interfere with normal business activities. The MoJ monitors the use of its IT systems. Any personal use is subject to monitoring and auditing, and might also be retained in backup format, even after deletion from live systems.

The MoJ reserves the right to restrict personal use of its IT systems. The main methods employed are:

• Filtering of Internet and email traffic. All Internet and email traffic is filtered and analysed. Further details are available.
• Policy and procedures. This policy and associated SyOPs set out the restrictions placed on the use of MoJ systems.

POL.ITAUP.017: Users shall ensure that any personal use of MoJ systems does not conflict or interfere with normal business activities. Any conflict shall be reported to the User’s line manager.

POL.ITAUP.018: Users shall ensure that any personal use of MoJ systems is consistent with any applicable SyOPs, and with this acceptable use policy.

POL.ITAUP.019: Users shall be aware that any personal use of MoJ systems which contravenes any applicable SyOPs, or this acceptable use policy, constitutes a breach of the IT Security Policy and might result in disciplinary action.

Maintaining system and data integrity

Users shall comply with all applicable operating procedures, and ensure that they do not circumvent any security controls in place. Changes to the configuration of an IT system which affect either the integrity of that system or the integrity of shared data shall be undertaken or supervised by an authorised User or system Administrator.

POL.ITAUP.020: All Users shall request any changes to systems or equipment through the IT Service Desk. Further details are provided in the System Users and Application Administrators guidance.

Electronic messaging and use of the Internet

Due to the risks associated with electronic communications such as email and the Internet, the MoJ controls and monitors usage of MoJ systems in accordance with applicable legal and regulatory requirements.

IT systems are designed to protect the MoJ from Internet-borne attacks, to reduce the risk of MoJ information being leaked or compromised, and to support the MoJ in providing a safe working environment. This is mainly achieved through the filtering and monitoring of all Internet and email traffic.

Also, the use of any high bandwidth services, such as video streaming websites, might create network capacity issues, causing poor performance affecting important MoJ services. Therefore, the MoJ restricts access to the Internet, based on job role. Amendments can be made on the submissions of a business case for approval by the MoJ Security team.

The MoJ regards as a disciplinary offence any usage of electric communications, such as email and other methods including instant messaging and the Internet, which breaks the law, contravenes MoJ HR policies, or involves unauthorised access to or handling of material that is deemed to be inappropriate, abusive, offensive, defamatory, obscene, or indecent.

External email and the Internet are, in general, insecure services where it is possible for external entities to intercept, monitor, change, ‘spoof’, or otherwise interfere with legitimate content. The MoJ deploys a number of security controls to protect its Users from Internet- and email-borne attacks. However, these controls are reliant on Users remaining vigilant, following any applicable SyOPs, and reporting any suspicious behaviour.

POL.ITAUP.021: All Users shall use the Internet, email, and other electronic communication systems only in accordance with this acceptable use policy document.

Managing email use

Users are responsible for ensuring that all information is handled in line with the protective marking of that information, in accordance with the Information Classification and Handling Policy.

The MoJ is connected to the Government network, which provides a secure environment for sending or receiving emails between Government departments. This allows Users with an MoJ email account (normally with the suffix ‘@justice.gov.uk’) to send Official emails with handling caveats such as Sensitive to another MoJ or government User, where their email suffix ends in ‘gov.uk’.

POL.ITAUP.022: All Users shall ensure that information contained within or attached to an email is handled in accordance with the Information Classification and Handling Policy.

Email is a major source of malware, and a route into the MoJ for criminal organisations. It might be used to defraud staff, or to exfiltrate information. All Users shall exercise care when handling emails, and report any suspicious activity as an IT security incident.

POL.ITAUP.023: All Users shall ensure that they do not:

• Open any attachments to an email where the source is untrusted, unknown, or unsolicited.
• Click on any links within an email, where the source is untrusted, unknown, or unsolicited.

POL.ITAUP.024: Where a User suspects that an email received is from an untrusted, unknown, or unsolicited source, they shall report it as an IT security incident.

Connectivity and remote access

Remote access is provided to MoJ systems and services, allowing Users access from offsite and home locations to connect in. The main methods of access are either via a laptop or other mobile device. Normally, remote access is to a protected MoJ IT system. Users should be aware of the security controls and procedures of the devices and systems being used, as well as any applicable general physical security considerations. This includes any restriction on the carriage of such devices, as they might contain HMG protectively marked data, or HMG cryptographic material.

MoJ security maintains a list of countries where carriage and use of remote access devices is permitted.

Further details can be found in the Remote Working guidance.

POL.ITAUP.025: All Users shall be aware of the Remote Working guidance, and shall confirm that they have read and understood it before being provided with any remote access devices or equipment, such as an encryption or access control token.

POL.ITAUP.026: Any User wishing to take a remote access device out of the UK shall consult the Remote Working guidance before doing so, and the applicable device IT Security Operating Procedures document.

Monitoring of communications

Communications can be monitored without notice, and on a continual basis, for a number of reasons. These include compliance with legal obligations, effective maintenance of IT systems, preventing or detecting unauthorised use or criminal activities such as cyber-intrusion, monitoring of service or performance standards, providing evidence of business transactions, and checking adherence to policies, procedures, and contracts.

The MoJ monitors telephone usage, network, email, and Internet traffic data, including sender, receiver, subject, attachments to an email, numbers called, duration of calls, the domain names of websites visited, the duration of visits, and files uploaded or downloaded from the Internet, at a network level.

The MoJ, so far as possible and appropriate, respects User privacy and autonomy whilst they are working, but in accordance with the personal use information, any personal use of MoJ systems is also subject to monitoring. By carrying out personal activities using MoJ systems, Users are consenting to the MoJ processing any sensitive personal data which might be revealed by such monitoring, such as regular visits to a set of websites.

For the purposes of business continuity, it might be necessary for the MoJ to access business communications, including within email mailboxes, while a User is absent from work, including for a holiday and because of illness. Access is only granted through submission of a formal request to the IT Service Desk, where approval is required from the relevant line manager. The MoJ Chief Information Security Officer (CISO) and MoJ HR are normally consulted as well, before access is granted.

POL.ITAUP.027: All Users shall be aware that their electronic communications are being monitored in accordance with this acceptable use policy.

POL.ITAUP.028: All Users shall be aware that business communication such as email mailboxes might be accessed if they are absent from work. This access is normally requested through, and authorised by, the User’s line manager. The MoJ CISO and MoJ HR are normally consulted as well, before access is granted.

Data protection considerations

Acceptable use considerations apply to the storage of personal data. This storage includes data hosting in ‘cloud’ environments, or within services or databases hosted or administered outside:

• The UK.
• The European Economic Area (EEA).
• Countries with an Adequacy Decision (an ‘Adequacy Decision Country’ or ADC).

POL.ITAUP.029: The default position is that MoJ personal data shall not be transferred to or through, or stored, in the US or elsewhere outside the UK, EEA, or an ADC, other than in exceptional circumstances.

This position also applies where a supplier uses cloud storage facilities in the UK, EEA, or an ADC, but their employees outside the UK, EEA, or the ADC are able to view the information for activities such as maintenance or trouble-shooting. The effect of this access is equivalent to the personal data being held outside the UK, EEA, or an ADC.

The reason for this position is that even with additional contractual clauses, the MoJ cannot ensure protection of its personal data stored outside the UK, EEA, or an ADC, due to some government surveillance laws.

POL.ITAUP.030: A supplier based in the UK, EEA, or an ADC, and which stores client data in the UK, EEA, or an ADC, should be considered first and preferred where possible.

POL.ITAUP.031: If an alternative supplier cannot be sourced, then a Standard Contractual Clause (SCC) and a Transfer Impact Assessment (TIA) shall be completed.

These documents are reviewed by the Data Protection Team, after which the transfer might be approved. A template for these documents can be requested from DataProtection@justice.gov.uk

POL.ITAUP.032: If the outcome of the assessment does not support the transfer and storage of information outside the UK, EEA, or an ADC, the Information Security and Risk (ISR) Board shall review the case, and if appropriate, accept the risks in order for the supplier to be used.

POL.ITAUP.033: This acceptable use policy for MoJ personal data shall apply to:

• An existing supplier changing the location of its servers, storage, or services outside the UK, EEA, or an ADC.
• New suppliers.

Data protection acceptable use protocols and standard operating procedures

The Data Protection Team has produced a number of Acceptable Use protocol documents, providing specific data protection guidance.

The documents are available on the MoJ Intranet, or by contacting the Data Protection Team.

The documents are as follows:

• Acceptable Use Protocol Commercial and Contract Management
• Acceptable Use Protocol Subject Access Requests
• Acceptable Use Protocol Storage of Personal Data
• Acceptable Use Protocol Data Subjects’ Rights
• Acceptable Use Protocol Processing of People Data
• Acceptable Use Protocol Analytical Platform
• Acceptable Use Protocol Recording

There are also a number of Standard Operating Procedures (SOP)s, including:

• Personal Data Risk Management
• Data protection impact assessment guidance
• Data sharing agreement assessment

For more information on these protocols and procedures, contact the Data Protection Team.

Contact details

For any further questions or advice relating to security, contact: security@justice.gov.uk.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.